Note that the matching instruction may not exist, or may not have been recorded in the current trace.

The plugin codename will be percent (referring to vi’s ‘%’ command, “go to matching bracket”).

Getting called by REVEN Axion

REVEN Axion plugin basics:

When the shortcut associated with a plugin is triggered, REVEN Axion calls the plugin’s axion_callback() function if it exists (a plugin can still expose several commands by calling register_command from the plugin API).

Now that we have our execution point, we can query more data from the REVEN project instance. Let’s define a function get_matching_instruction(client, point) which returns the execution point of the matching instruction, or None.

None is returned if no matching instruction exists, or if the matching execution point is not present in the current execution trace.

Pedantic instruction matching

With the current implementation, if a pushed value is read before the pop (for instance by a mov eax, [esp]), the match is the first instruction that reads the slot, not the actual pop. To find the true pop, if it exists, we could instead track the value of esp: chain run_search_next_register_use calls on esp until it becomes greater than or equal to its value before the push. This way we would even catch a pop disguised as an esp increment (add esp, 0x4), which never reads the pushed slot at all.
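To make the difference between the two heuristics concrete, here is an added example that is not part of the original article and does not use the REVEN Axion API: a small stand-alone model in which a constructed trace (the Insn records, the ESP0 base address and the build_trace* functions are all assumptions made here) stands in for the REVEN client. match_by_first_read implements the simple “first read of the pushed slot” rule, match_by_esp the pedantic esp-based rule, and get_matching_instruction mirrors the article’s function of the same name (with the trace in place of the client), searching forward for push-like instructions and backward for pop-like ones, and returning None when the counterpart was not recorded in the trace.

```python
# Added example: a stand-alone model of the push/pop matching heuristics.
# It does NOT use the REVEN Axion API; the trace, the Insn record and every
# function below are constructed here for illustration (assumptions).
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Insn:
    """One executed instruction of the constructed trace."""
    point: int                  # execution point (position in the trace)
    text: str                   # disassembly, for readability only
    esp_before: int             # esp when the instruction starts
    esp_after: int              # esp once it has executed
    reads: List[int] = field(default_factory=list)   # memory addresses read
    writes: List[int] = field(default_factory=list)  # memory addresses written


def _push(point: int, reg: str, esp: int) -> Insn:
    return Insn(point, f"push {reg}", esp, esp - 4, writes=[esp - 4])


def _pop(point: int, reg: str, esp: int) -> Insn:
    return Insn(point, f"pop {reg}", esp, esp + 4, reads=[esp])


ESP0 = 0x7FFF0000  # arbitrary starting esp for the constructed traces


def build_trace() -> List[Insn]:
    """Constructed trace: the pushed slot is peeked at before the real pop."""
    return [
        _push(0, "ebx", ESP0),                                            # writes [ESP0-4]
        Insn(1, "mov eax, [esp]", ESP0 - 4, ESP0 - 4, reads=[ESP0 - 4]),  # reads it, not a pop
        Insn(2, "xor ecx, ecx", ESP0 - 4, ESP0 - 4),
        _pop(3, "ebx", ESP0 - 4),                                         # the real pop
        Insn(4, "ret", ESP0, ESP0 + 4, reads=[ESP0]),  # return address pushed before the trace
    ]


def build_trace_add_esp() -> List[Insn]:
    """Constructed trace: the pushed value is discarded with 'add esp, 4'."""
    return [
        _push(0, "eax", ESP0),
        Insn(1, "call foo", ESP0 - 4, ESP0 - 8, writes=[ESP0 - 8]),
        Insn(2, "ret", ESP0 - 8, ESP0 - 4, reads=[ESP0 - 8]),
        Insn(3, "add esp, 4", ESP0 - 4, ESP0),   # nothing ever reads the pushed slot
        Insn(4, "ret", ESP0, ESP0 + 4, reads=[ESP0]),
    ]


def match_by_first_read(trace: List[Insn], point: int) -> Optional[int]:
    """Simple heuristic: first later instruction that reads the slot the push wrote."""
    push = trace[point]
    if push.esp_after >= push.esp_before:
        return None  # not a push-like instruction
    slot = push.esp_after
    for insn in trace[point + 1:]:
        if slot in insn.reads:
            return insn.point
    return None  # slot never read within the recorded trace


def match_by_esp(trace: List[Insn], point: int) -> Optional[int]:
    """Pedantic heuristic: first later instruction that brings esp back to at
    least its pre-push value; this also catches 'add esp, 4'."""
    push = trace[point]
    if push.esp_after >= push.esp_before:
        return None
    target = push.esp_before
    for insn in trace[point + 1:]:
        if insn.esp_after >= target:
            return insn.point
    return None  # the counterpart is not in the recorded trace


def get_matching_instruction(trace: List[Insn], point: int) -> Optional[int]:
    """Mirror of the article's get_matching_instruction(client, point), with the
    constructed trace in place of the REVEN client: push-like instructions are
    matched forward with the esp rule, pop-like ones backward with its mirror."""
    insn = trace[point]
    if insn.esp_after < insn.esp_before:          # push / call
        return match_by_esp(trace, point)
    if insn.esp_after > insn.esp_before:          # pop / ret / add esp
        target = insn.esp_after
        for earlier in reversed(trace[:point]):
            if earlier.esp_before >= target and earlier.esp_after < target:
                return earlier.point
        return None  # pushed before the trace started
    return None  # instruction does not move esp


if __name__ == "__main__":
    t = build_trace()
    print("first-read match for push:", match_by_first_read(t, 0))   # the mov, point 1
    print("esp-based match for push:", match_by_esp(t, 0))           # the pop, point 3
    print("match for 'add esp, 4':", get_matching_instruction(build_trace_add_esp(), 3))
```

On the first trace the simple rule stops at the mov that merely peeks at the slot, while the esp rule reaches the real pop; on the second trace the simple rule finds nothing at all, because add esp, 4 never reads the slot, whereas the esp rule matches it. The backward search returns None for the final ret in both traces, which is the “not recorded in the current trace” case.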

Conclusion

In this article, we’ve seen how one can easily implement simple heuristics to add specific functionality to REVEN Axion, thanks to its Python API.

This plugin did not require a graphical interface, but had it needed one, we could have created custom widgets with PythonQt and connected them to REVEN Axion.